...

DO NOT

A common antipattern is to make a login call before each call to the server. This leaves many refresh tokens active for a prolonged period of time, which is a potential security hazard. Moreover, the login operation is time-consuming by design, so logging in before every call degrades the performance of your system.

DO

Save both the access and refresh tokens and send the access token value in the Authorization header. When it expires, use the <> call to acquire a new access token using the stored refresh token (explained in more detail below).

Refresh token

To continue being able to call the server after the access token expires, the client should call the LoginWithRefreshToken method, accessible at the path api/security/authentication/loginWithRefreshToken. The method does not require an Authorization header, so it can be used after the access token's expiration time (but before the refresh token expires). It accepts the following parameters:

...
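An added example of the DO pattern above together with the refresh flow, not code from the original page: a small Python client that caches both tokens, sends the access token on every call, and hits loginWithRefreshToken only when the access token has expired (or the server rejects it with 401), rather than logging in before each call. The Bearer scheme, the refreshToken request field, the accessToken / refreshToken / expiresIn response fields and the FakeServer transport are assumptions constructed for this example; the real parameter names are the ones listed in the section above.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
# Endpoint path is from the page; the "Bearer" scheme and the JSON field names
# refreshToken / accessToken / expiresIn are assumptions, not documented on the page.
REFRESH_PATH = "api/security/authentication/loginWithRefreshToken"

@dataclass
class TokenClient:
    transport: Callable      # (method, path, headers, body) -> (status, json); injected so it runs offline
    access_token: str
    refresh_token: str
    expires_at: float        # unix time after which the cached access token is treated as expired
    refresh_calls: int = 0   # how often the refresh endpoint was hit: one login, many calls

    def _refresh(self) -> None:
        # No Authorization header: the refresh endpoint does not require one.
        status, body = self.transport("POST", REFRESH_PATH, {}, {"refreshToken": self.refresh_token})
        if status != 200:
            raise PermissionError("refresh token rejected or expired; a full login is required")
        self.access_token = body["accessToken"]
        self.refresh_token = body.get("refreshToken", self.refresh_token)  # keep a rotated token
        self.expires_at = time.time() + body["expiresIn"]
        self.refresh_calls += 1

    def call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        if time.time() >= self.expires_at:     # refresh proactively instead of logging in again
            self._refresh()
        status, resp = self.transport(method, path, {"Authorization": f"Bearer {self.access_token}"}, body)
        if status == 401:                      # server disagrees about expiry: refresh once, retry once
            self._refresh()
            status, resp = self.transport(method, path, {"Authorization": f"Bearer {self.access_token}"}, body)
        if status != 200:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return resp

class FakeServer:
    """Constructed stand-in for the API: one valid token pair, rotated on every refresh."""
    def __init__(self) -> None:
        self.access, self.refresh, self.n, self.refresh_hits = "acc-1", "ref-1", 1, 0
    def __call__(self, method: str, path: str, headers: dict, body: Optional[dict]) -> Tuple[int, dict]:
        if path == REFRESH_PATH:
            self.refresh_hits += 1
            if (body or {}).get("refreshToken") != self.refresh:
                return 401, {}
            self.n += 1
            self.access, self.refresh = f"acc-{self.n}", f"ref-{self.n}"
            return 200, {"accessToken": self.access, "refreshToken": self.refresh, "expiresIn": 3600}
        return (200, {"path": path}) if headers.get("Authorization") == f"Bearer {self.access}" else (401, {})
```

Watching refresh_calls against the number of API calls is a cheap way to spot the antipattern in a real client: it should stay close to one per access-token lifetime, not one per request.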